Header bannerHeader banner
January 24, 2024

Protecting Software Supply Chains: Binarly’s 2023 in Review

Alex Matrosov

For Binarly, 2023 was a magical year. Our research team led the way in finding and fixing hundreds of high-impact firmware vulnerabilities; we released the first version of our Binarly Transparency Platform product with groundbreaking protection for the firmware supply chain ecosystem; we won recognition for our innovations at Black Hat; added multiple large enterprise customers while doubling our ARR (Annual Recurring Revenue).

The Binarly REsearch team uncovered a massive number of firmware vulnerabilities with our technologies, and the sheer volume of CVEs and bugs we reported became too numerous to count. In general, the number of CVEs grows significantly every year and correlates with the complexity of the software stack in general.

Figure 1

Forecasting Common Vulnerability Exposures for 2024 (source)

The most important lesson we learned in 2023 is that software complexity, especially at the firmware layer, never stops growing and existing security tools are focused mainly on source code analysis, which involves searching for straightforward patterns in text.

Existing static analysis tools and software composition analysis (SCA) use basic approaches to analyze the code, which is developed to solve different types and scales of the problems we are facing today in the software supply chain. But the worst is the number of noise produced by existing tools when vulnerabilities are scoped based on the version of the component and mapped to the related CVEs to this version from the National Vulnerability Database (NVD).

The main question becomes: How are all these vulnerabilities related to my software or inventory? Most of the firmware software supply chain security tooling can’t answer this question, leaving enterprise security teams with an alert fatigue problem without actionable responses to the findings.

A perfect example of this problem is the LogoFAIL set of vulnerabilities, which represent many vulnerabilities mapped by the vendors to a single CVE, which clearly will create cases when this CVE will be claimed as fixed by the vendor but not all the issues are actually fixed. That’s exactly what we currently see happening in the industry (the recent example of Ivanti and Juniper Networks vulnerabilities being exploited in the wild).

Figure 2

Early in the Binarly journey, we realized that the existing approaches cannot keep pace with the scale of the problem. We need different approaches to solve software supply chain challenges at scale.

One of the eye-opening moments for me was when I realized that during my career working for a few different silicon vendors, there was no tool beyond Hex-Rays IDA at the time to perform binary analysis and vulnerability validation for product security teams. And, of course, it was completely manual or with custom automation around available APIs. But that was far from a scalable and robust approach I was hoping to find. That’s one of the reasons why I decided to create Binarly to focus on and solve these problems not just for a single vendor but at scale for the entire industry.

From day one, we were laser focused on building the technology to solve the software supply chain problems differently. We want to go beyond finding already known vulnerabilities with our FwHunt technology, to uncover and validate unknown issues and newer classes of problems.

We call this technology Deep Vulnerability Analysis (DVA), capable of finding known issues where the class of the problems is known, and pinpointing variants related to this particular class of vulnerabilities. We ended up finding so many issues that Binarly has so far disclosed more firmware bugs than the entire industry for the last ten years (based on NVD data).

We started 2023 with a massive disclosure of the Qualcomm reference code-related vulnerabilities impacting a massive number of ARM-based enterprise devices. After the release of the Binarly Transparency Platform v1.0, we were kept busy helping early adopters and new customers to integrate product capabilities into their workflows, asset management systems, or procurement process of onboarding new hardware.

The most important achievement for the entire Binarly team is that our product really works. We do not blindly claim that we have many data points based on Binarly vulnerability and threat discoveries over the last year. We have indeed built a product that represents a more proactive next-generation approach to responding to the exponentially growing software supply chain security risks.

Just have a look at what we have been up to for the entire last year!

Figure 3

Check if you are affected by the XZ backdoor